Bug 728235 - avdec: Read free'd memory when thumbnailing
Status: RESOLVED DUPLICATE of bug 727779
Product: GStreamer
Classification: Platform
Component: gst-libav
Version: 1.2.3
Hardware: Other Linux
Importance: Normal normal
Target Milestone: NONE
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2014-04-15 05:40 UTC by Olivier Crête
Modified: 2014-04-15 08:51 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Olivier Crête 2014-04-15 05:40:36 UTC
This is:
https://bugzilla.redhat.com/show_bug.cgi?id=1076977

I have a file where it's 100% reproducible with 1.2.3, but not with git master of gst-libav, so I can only assume it's already fixed and we should backport the right patch.


==22387== Invalid read of size 8
==22387==    at 0x121F85C9: gst_ffmpegviddec_video_frame (gstavviddec.c:1226)
==22387==    by 0x121F9277: gst_ffmpegviddec_frame (gstavviddec.c:1371)
==22387==    by 0x121F992B: gst_ffmpegviddec_handle_frame (gstavviddec.c:1491)
==22387==    by 0x354A21DB18: gst_video_decoder_decode_frame (gstvideodecoder.c:2832)
==22387==    by 0x354A21DE7C: gst_video_decoder_chain_forward (gstvideodecoder.c:1757)
==22387==    by 0x354A2200DC: gst_video_decoder_chain (gstvideodecoder.c:2037)
==22387==    by 0x3549262137: gst_pad_push_data (gstpad.c:3760)
==22387==    by 0x35496346D6: gst_base_transform_chain (gstbasetransform.c:2237)
==22387==    by 0x3549262137: gst_pad_push_data (gstpad.c:3760)
==22387==    by 0x354961679C: gst_base_parse_push_frame (gstbaseparse.c:2299)
==22387==    by 0x35496173DF: gst_base_parse_chain (gstbaseparse.c:2805)
==22387==    by 0x3549262137: gst_pad_push_data (gstpad.c:3760)
==22387==  Address 0x184bbde0 is 0 bytes inside a block of size 688 free'd
==22387==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22387==    by 0x3B1F84EF7E: g_free (gmem.c:197)
==22387==    by 0x3B1F8655CA: g_slice_free1 (gslice.c:1124)
==22387==    by 0x121F7421: gst_ffmpegviddec_release_buffer (gstavviddec.c:551)
==22387==    by 0x12426C9A: release_delayed_buffers (pthread.c:521)
==22387==    by 0x12427CA7: ff_thread_flush (pthread.c:900)
==22387==    by 0x121F701F: gst_ffmpegviddec_flush (gstavviddec.c:1610)
==22387==    by 0x354A21EF98: gst_video_decoder_flush (gstvideodecoder.c:869)
==22387==    by 0x354A2259CB: gst_video_decoder_sink_event_default (gstvideodecoder.c:1114)
==22387==    by 0x3549260AB2: gst_pad_send_event_unchecked (gstpad.c:5035)
==22387==    by 0x35492612B3: gst_pad_push_event_unchecked (gstpad.c:4731)
==22387==    by 0x3549269B4D: gst_pad_push_event (gstpad.c:4854)
Comment 1 Tim-Philipp Müller 2014-04-15 08:51:49 UTC
Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of bug 727779 ***